Introduction

FlexVPN is the new Internet Key Exchange version 2 (IKEv2)-based VPN infrastructure on Cisco IOS® and is meant to be a unified VPN solution. This document describes how to configure the IKEv2 client that is built into Windows 7 to connect to a Cisco IOS headend, with both sides authenticated by certificates issued from a Certificate Authority (CA).

Note: The Adaptive Security Appliance (ASA) now supports IKEv2 connections with the Windows 7 built-in client as of Release 9.3(2).

Note: Suite B algorithms cannot be used with this setup: the IOS headend does not support Suite B with IKEv1, and the Windows 7 IKEv2 Agile VPN client does not currently support Suite B with IKEv2.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Windows 7 built-in VPN client

Cisco IOS Software Release 15.2(2)T

Certificate Authority - OpenSSL CA

Components Used

The information in this document is based on these hardware and software versions:

Windows 7 built-in VPN client

Cisco IOS Software Release 15.2(2)T

Certificate Authority - OpenSSL CA

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Configure

Overview

There are four major steps to configure the Windows 7 built-in IKEv2 client to connect to a Cisco IOS headend with CA-issued certificates:

Configure CA

The CA must be able to embed the required Extended Key Usage (EKU) values in the certificates it issues: the IKEv2 server certificate needs the 'Server Authentication' EKU, and the client certificate needs the 'Client Authentication' EKU. Local deployments can make use of:

Configure Cisco IOS Headend

Obtain a Certificate

The certificate must have the EKU field set to 'Server Authentication' for Cisco IOS and 'Client Authentication' for the client. Typically, the same CA signs both the client and the server certificates. In that case the server certificate carries 'Server Authentication' and the client certificate carries 'Client Authentication', which is acceptable; neither certificate needs both values.

If the CA issues the certificates in Public-Key Cryptography Standards (PKCS) #12 format to the clients and the server, and the certificate revocation list (CRL) is not reachable or available, the IOS trustpoint must be configured so that it does not depend on the CRL:

The ip unnumbered interface of the virtual-template must be anything except the interface that holds the local address used for the IPsec connection. (With a hardware client, routing information is exchanged via the IKEv2 configuration node, and using the local address would create a recursive routing issue on the hardware client.)

Configure Windows 7 Built-In Client

This procedure describes how to configure the Windows 7 built-in client.

Navigate to the Network and Sharing Center, and click Set up a new connection or network.

Click Use my Internet connection (VPN). This lets you set up a VPN connection negotiated over the current Internet connection.

Enter the fully qualified domain name (FQDN) or the IP address of the IKEv2 server, and give it a Destination name to identify it locally.

Note: The FQDN must match the Common Name (CN) from the router identity certificate. Windows 7 drops the connection with an error 13801 if it detects a mismatch.

Because additional parameters need to be set, check Don't connect now; just set it up so I can connect later, and click Next:

Do not fill in the User name, Password and Domain (optional) fields because Certificate Authentication is to be used. Click Create.

Note: Close the resultant window. Do not try to connect.

Navigate back to the Network and Sharing Center, and click Change adapter settings.

Choose the logical adapter FlexVPN-IOS (the Destination name given earlier), which was created by the steps taken to this point, and open its Properties. These are the properties of the newly created connection profile called FlexVPN-IOS:

On the Security tab, set Type of VPN to IKEv2.

In the Authentication section, choose Use machine certificates.

The FlexVPN-IOS profile is ready to connect once you have imported a certificate into the machine certificate store.

Obtain Client Certificate

The client certificate must meet these requirements:

The client certificate has an EKU of 'Client Authentication', and the CA delivers it as a PKCS#12 file:

Important Details

'IPSec IKE intermediate' (OID = 1.3.6.1.5.5.8.2.2) should be used as EKU if both of these statements apply:

The IKEv2 server is a Windows 2008 server.

More than one Server Authentication certificate is in use for IKEv2 connections. If this is true, either place both the 'Server Authentication' EKU and the 'IPSec IKE Intermediate' EKU on one certificate, or distribute these EKUs among the certificates. Make sure at least one certificate contains the 'IPSec IKE Intermediate' EKU.

In a FlexVPN deployment, do not use 'IPSec IKE Intermediate' in the EKU. If you do, the IKEv2 client does not pick up the IKEv2 server certificate, so it cannot respond to the CERTREQ that IOS sends in the IKE_SA_INIT response message, and the connection fails with error 13806.

While the Subject Alternative Name (SAN) is not required, it is acceptable if the certificates have one.

In the Windows 7 client certificate store, keep the number of certificates in the machine Trusted Root Certification Authorities store as small as possible. If it holds more than about 50, Cisco IOS might fail to read the entire Cert_Req payload, which carries the Distinguished Name (DN) of every CA the Windows 7 box trusts. The negotiation then fails and the connection times out on the client.
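As an added worked example that is not part of the original document and not Cisco's code, the script below uses the OpenSSL command line to stand up a throwaway CA that issues the two certificates the steps above call for (headend with the 'Server Authentication' EKU and a CN equal to the FQDN the client dials; client with the 'Client Authentication' EKU), exports both as PKCS#12 files, and then checks each certificate against the rules from Configure CA, Obtain a Certificate, Obtain Client Certificate and Important Details (no 'IPSec IKE Intermediate' EKU, CN match). The directory, the FQDN vpn.example.com, the client name win7-client and the export password are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original document): a throwaway OpenSSL CA that
# issues the two certificates this document needs, exports each as PKCS#12 and
# checks the result. $CA_DIR, vpn.example.com, win7-client and the export
# password are placeholder assumptions.
set -eu

CA_DIR="${CA_DIR:-./flexvpn-ca}"
SERVER_FQDN="${SERVER_FQDN:-vpn.example.com}"   # what the Windows 7 client dials
CLIENT_NAME="${CLIENT_NAME:-win7-client}"
P12_PASS="${P12_PASS:-changeit}"                 # assumed export password

# X.509v3 extension sections, one per role. The EKU is the whole point:
# serverAuth for the IOS headend, clientAuth for the client, and deliberately
# no 'IPSec IKE intermediate' (1.3.6.1.5.5.8.2.2) on either.
write_extfile() {
    cat > "$CA_DIR/ext.cnf" <<EOF
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_FQDN

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# One self-signed root; the Windows root store should stay small anyway.
build_ca() {
    mkdir -p "$CA_DIR"
    write_extfile
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=FlexVPN Lab CA" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
}

# issue_cert <basename> <CN> <extension section>: key, CSR, CA-signed cert.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$CA_DIR/$1.csr" \
        -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/ext.cnf" -extensions "$3" \
        -out "$CA_DIR/$1.pem" 2>/dev/null
}

# export_p12 <basename> <friendly name>: key + cert + CA in one PKCS#12 file.
# The explicit SHA1/3DES PBE settings keep the file importable on Windows 7,
# which cannot read the AES/PBKDF2 defaults that OpenSSL 3 would otherwise use.
export_p12() {
    openssl pkcs12 -export -inkey "$CA_DIR/$1.key" -in "$CA_DIR/$1.pem" \
        -certfile "$CA_DIR/ca.pem" -name "$2" -passout "pass:$P12_PASS" \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
        -out "$CA_DIR/$1.p12"
}

# Print the decoded EKU line of a certificate, e.g. "TLS Web Client Authentication".
eku_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
        | tail -n 1 | sed 's/^ *//'
}

# Print the CN of a certificate whose subject consists of a CN only.
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

# check_server_cert <cert> <fqdn>: 0 if the headend certificate satisfies the
# Windows 7 client: serverAuth EKU, CN equal to the dialled FQDN (else 13801),
# and no 'IPSec IKE intermediate' EKU (else IOS fails with 13806).
check_server_cert() {
    eku=$(eku_of "$1")
    case "$eku" in *"Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$eku" in *IPSec*|*IKE*|*1.3.6.1.5.5.8.2.2*) return 1 ;; esac
    [ "$(cn_of "$1")" = "$2" ]
}

# check_client_cert <cert>: 0 if the certificate carries the clientAuth EKU.
check_client_cert() {
    case "$(eku_of "$1")" in *"Web Client Authentication"*) return 0 ;; esac
    return 1
}

build_ca
issue_cert server "$SERVER_FQDN" server_ext
issue_cert client "$CLIENT_NAME" client_ext
export_p12 server "$SERVER_FQDN"    # for the IOS headend trustpoint
export_p12 client "$CLIENT_NAME"    # for the Windows 7 machine certificate store
```

After the run, server.p12 is what the IOS trustpoint imports (crypto pki import with the pkcs12 keyword and the export password), and client.p12 is imported into the Windows 7 machine Personal store, with ca.pem landing in the machine Trusted Root Certification Authorities store. The CN written into server.pem is the string that must be typed as the server address in the Windows connection profile; check_server_cert fails on purpose if the two differ or if the EKU carries the IKE intermediate value that IOS rejects.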

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool supports certain show commands. Use it to view an analysis of show command output.